Cybersecurity is one of the biggest threats that the Philippine banking system must confront this year as malicious hackers from here and overseas become more aggressive and attacks become more damaging, the Bangko Sentral ng Pilipinas said.
To address this, local banks must allocate more resources to boost not only their technical capabilities, but also to ensure that they have the right technical people who can secure internal systems and reassure clients who are increasingly sensitive about the security of their transactions.
“Cybersecurity is a big fear for everyone, BSP included,” BSP Governor Nestor Espenilla Jr. said in an interview with the Inquirer. “I’ve been talking to other regulators about it, and it’s high on the agenda. The level of concern for cybersecurity is very high, but it’s hard to stop because it’s a technology play.”
Regulators and industry leaders recently acknowledged the rising threat of cybercrime, whether perpetrated by nation states or individual hackers who do it for profit or merely as a hobby.
According to Espenilla, a key element of improving the posture of the local financial system is changing the mindset of the local population regarding the vulnerability of bank computers to hackers. In particular, he said both bankers and their clients must discard the mindset that the financial system is impenetrable to malicious elements.
“We may have created a fortress, but the raiders do nothing but try to find cracks in that fortress, day in and day out,” he said. “They will be able to find vulnerabilities, one way or the other.”
Given this, the central bank chief wants a paradigm shift among banking stakeholders from trying to stop hackers to focusing on making the system more robust to allow it to recover quickly in the event of a successful hack.
“The talk now is no longer whether you can stop it,” Espenilla said. “The assumption now is that they will be able to penetrate your system. It’s just a question of when.”
“The task is to create resilience: Surviving an attack and moving on,” he added. “You have to create a robust system that can detect the compromised element, contain it, and then survive it and recover.”
This policy shift is contained in a new central bank circular, released recently, that also shifted the burden of protecting banks against hackers from their technical personnel to the institutions’ directors.
“The most important element in this new policy is this: We state that it’s the business or the board to make sure that the bank is ready to confront the threats. That’s where it starts,” the BSP chief said. “If it’s just the concern of the technologist, there’s no support, there’s no commitment and there’s no money. It’s not just a matter of buying the latest software. You have to prepare the whole organization.”
He added that any given bank should make all its employees aware of cyberthreat issues, especially since hackers’ most frequent “points of entry” are personal and office e-mails and attachments.
“Layered defenses are important for a bank,” Espenilla said. “You can be a hard target, but never assume that you are impenetrable. You have to assume that you will be penetrated, and once that happens, you should have the capability to detect, contain and to recover. That’s the mindset. Don’t feel complacent. Be paranoid.” —DAXIM L. LUCAS